
Protecting against Ransom-WannaCry (May 2017)
Technical Articles ID:   KB89335
Last Modified:  9/9/2019


McAfee products that use DATs

NOTE: This article applies only to McAfee business and enterprise products. If you need information or support for McAfee consumer or small business products, visit https://service.mcafee.com. For more information about this attack and McAfee consumer products, see: TS102675.


McAfee is aware of a new variant of ransomware that has been detected in corporate environments. Threat Name: Ransom-WannaCry (also known as WCry, WanaCrypt, WannaCrypt, and WanaCrypt0r).

Read McAfee's observations and analysis here: https://securingtomorrow.mcafee.com/business/analysis-wannacry-ransomware-outbreak/
Read McAfee's official Threat Advisory here: KB91863.
See also the information in this Technical Brief: https://www.mcafee.com/us/resources/solution-briefs/sb-how-to-protect-against-ransomware.pdf

Minimum DATs for coverage: 

  • VSE (8527) or higher * 
  • ENS (2978) or higher *

* McAfee-defined content protection against known variants.  

As a best practice, configure repository update tasks with a minimal refresh interval to ensure that new content is applied when McAfee releases it.

This article will be updated as additional information is available. Continue to monitor this document for updates.

Topics in this article

Symptoms of infected systems
VSE Access Protection rules
ENS Access Protection rules
ENS Adaptive Threat Protection – Real Protect and Dynamic Application Containment
ENS Dynamic Application Containment rules
Advanced Threat Defense coverage for WannaCry Ransomware
McAfee NSP coverage for WannaCry Ransomware
Frequently Asked Questions

Recent updates to this article

Date               Update
September 9, 2019  The link for the Ransom-WannaCry Threat Advisory was changed to KB91863.
November 20, 2017  Removed the Extra.DAT file attachment and references to the Extra.DAT file.

This threat exhibits the following symptoms on infected systems:

  • Files are encrypted with the .wnry, .wcry, .wncry, .wcryt, or .wncryt extension, and end users see a screen with a ransom message.
  • End users see the Ransom-WannaCry desktop background (screenshot not reproduced here).
  • On restart, affected systems show a blue screen error and cannot start.
  • Encryption is seen on the local host and on open SMB shares. IMPORTANT: Customers should immediately install the Critical Microsoft patch MS17-010 to prevent SMB shares from becoming encrypted: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.


VirusScan Enterprise (VSE) and Endpoint Security (ENS) Access Protection Proactive Measures

NOTE: The VSE and ENS Access Protection rules prevent creation of the .WNRY file. This block stops the encryption routine, which is the stage that produces encrypted files with the .WNCRYT, .WNCRY, or .WCRY extensions. Because the .WNRY block stops the routine, no separate blocks are needed for the encrypted file types.

Use VSE Access Protection rules:

Rule 1
Rule Type: Registry Blocking Rule
Process to include: *
Registry key or value to protect: HKLM - /Software/WanaCrypt0r
Protect: Key
Registry actions to prevent: Create key or value

Rule 2
Rule Type: File/Folder Blocking Rule
Process to include: *
File or folder name to block: *.wnry
File actions to prevent: New files being created


Use ENS Access Protection rules (one custom rule with the following executables and subrules):

Executables
Inclusion: Include
File Name or Path: *

Subrule 1
SubRule Type: Registry key
Operations: Create
Inclusion: Include
File, folder name, or file path: *\Software\WanaCrypt0r

Subrule 2
SubRule Type: Files
Operations: Create
Inclusion: Include
File, folder name, or file path: *.wnry


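The two rules above, as an added example that is not McAfee product code: it applies the file rule (*.wnry, file name only) and the registry rule (*\Software\WanaCrypt0r, whole key path) to a constructed set of create events, and adds the symptom check for the encrypted-file extensions listed earlier. The event line format and the sample events are assumptions made for the example.

```python
# Added example: apply this article's two Access Protection rules to constructed
# file/registry create events, and count the encrypted-file extensions it lists.
import fnmatch
import ntpath
import os
from collections import Counter

# Extensions the article lists as output of the encryption routine.
ENCRYPTED_EXTS = (".wnry", ".wcry", ".wncry", ".wcryt", ".wncryt")
# The two blocking rules as (kind, operation, pattern). Matching is
# case-insensitive because Windows paths and registry keys are.
RULES = [
    ("file", "create", "*.wnry"),
    ("registry", "create", "*\\Software\\WanaCrypt0r"),
]

def rule_blocks(kind, operation, target):
    """True if a rule covers this operation on target. The file rule has no path
    prefix, so it is matched on the file name; the registry rule on the key path."""
    subject = ntpath.basename(target) if kind == "file" else target
    return any(
        rkind == kind and rop == operation
        and fnmatch.fnmatchcase(subject.lower(), pattern.lower())
        for rkind, rop, pattern in RULES
    )

def evaluate_events(lines):
    """Parse constructed 'kind op target' lines; return the targets blocked."""
    return [t for kind, op, t in (ln.split(" ", 2) for ln in lines)
            if rule_blocks(kind, op, t)]

def count_encrypted_names(names):
    """Symptom check: count file names per listed ransomware extension."""
    hits = Counter()
    for name in names:
        ext = os.path.splitext(name)[1].lower()
        if ext in ENCRYPTED_EXTS:
            hits[ext] += 1
    return hits

def scan_tree(root):
    """Run the symptom check over a directory tree, e.g. a mounted share."""
    return count_encrypted_names(n for _, _, fs in os.walk(root) for n in fs)

SAMPLE_EVENTS = [  # constructed events, not captured from a real host
    "file create C:\\Users\\alice\\Documents\\report.docx",
    "file create C:\\Users\\alice\\Documents\\t.wnry",
    "file create C:\\Users\\alice\\Documents\\report.docx.WNCRY",  # not covered: the .wnry block suffices
    "registry create HKLM\\Software\\WanaCrypt0r",
    "registry create HKLM\\Software\\Microsoft\\Windows",
]
```

Running evaluate_events(SAMPLE_EVENTS) blocks only the .wnry file and the WanaCrypt0r key, which is the behaviour the NOTE above describes; scan_tree() on a share path reports any already-encrypted files by extension.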


Endpoint Security (ENS) with Adaptive Threat Protection (ATP) – Real Protect and Dynamic Application Containment (DAC) 

ENS 10.5 Adaptive Threat Protection Real Protect, in conjunction with Dynamic Application Containment, provides next-generation protection against unknown exploits.

ENS with ATP provides full protection against all known variants of the WannaCry exploit. McAfee recommends the following ATP configuration for detection of unknown WannaCry variants.

  1. Configure the following setting in the Adaptive Threat Protection - Options policy:

     Rule Assignment = Security (the default setting is Balanced)

  2. Configure the following rules in the Adaptive Threat Protection – Dynamic Application Containment policy:

     Dynamic Application Containment – Containment Rules

     See KB87843 – List of and best practices for Endpoint Security Dynamic Application Containment rules, and set the recommended DAC rules to Block as prescribed.



ENS Dynamic Application Containment rules triggered by Ransom-WannaCry variants

This section provides additional information about the Dynamic Application Containment rules observed to be triggered by known WannaCry variants. Additional rule enablement might not be required to effectively contain related processes not detected by other layers of the ENS security stack. See KB87843 – Best Practices for ENS Dynamic Application Containment Rules, and set the recommended DAC rules to Block as prescribed.

Rules observed to trigger:

  • Executing any child process
  • Accessing user cookie locations
  • Creating files with the .html, .jpg, or .bmp extension
  • Creating files with the .exe extension
  • Modifying users' data folders
  • Modifying startup registry locations
  • Modifying critical Windows files and registry locations
  • Reading or modifying files on any network location
  • Modifying files with the .bat extension
  • Modifying files with the .vbs extension
  • Creating files with the .bat extension
  • Reading files commonly targeted by ransomware-class malware
  • Creating files on any network location
  • Writing to files commonly targeted by ransomware-class malware
  • Modifying the hidden attribute bit


Advanced Threat Defense (ATD) Content Update Package for WannaCry is available in the following builds, or later:

  • 3.6.x or later
  • 3.8.x package or later
  • 3.10.x or later
  • 4.0 – detection included in the base install

McAfee NSP coverage for WannaCry Ransomware:

Existing signatures:

  • 0x43c0b800 – NETBIOS-SS: Windows SMBv1 identical MID and FID type confusion vulnerability (CVE-2017-0143)
  • 0x43c0b400 – NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0144)
  • 0x43c0b500 – NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145)
  • 0x43c0b300 – NETBIOS-SS: Microsoft Windows SMB Out of bound Write Vulnerability (CVE-2017-0146)
  • 0x43c0b900 – NETBIOS-SS: Windows SMBv1 information disclosure vulnerability (CVE-2017-0147)

The NSP Research Team has reviewed the information for CVE-2017-0148 and has created a UDS (User-Defined Signature). The UDS is available from KB55447, which is available only to registered users. Log on to https://support.mcafee.com and access the article.


Frequently Asked Questions about Ransom-WannaCry

Will having McAfee Application Control (MAC) in block mode help prevent the infection?
Yes, because MAC blocks any new hash values that are not whitelisted.

Does a combination of Threat Intelligence Exchange (TIE) and ATD block this threat on Day 0?
TIE and ATD contained several 0-day WannaCry samples. For those that were missed, further intelligence was added to the cloud, which picked up subsequent WannaCry variants as 0-day. ATD also released content updates specific to WannaCry. These content updates are available in current builds.

Why are you naming the Access Protection rules generically?
Rule names make no impact on the rule itself and can be named anything you want.

Shouldn't the software key use '\' and not '/'?
'\' is the syntax you would normally enter, but the point product modifies the path and replaces every '\' with '/', which is the reason the rule is shown with this syntax.

Shouldn't the file extension rule be: **\*.wnry ?
No. Because VSE and ENS use different wildcard syntax, it is best to use *.wnry, as both can use this rule properly.

What Daily DAT file will this be released in?
VSE DAT 8527 or later
ENS DAT 2978 or later
